
Problems with the NTP specification

5.1 Introduction

5.1.1 Problems with the NTP specification

We start by identifying three fundamental problems with the NTP specification in RFC 5905, and then exploit these problems in four different off-path attacks on ntpd, the “reference implementation” of NTP.

Problem 1: Lack of respect for basic protection measures. The first issue stems from a lack of respect for TEST2, the mechanism that NTP uses to prevent off-path attacks. Off-path attacks are essentially the weakest (and therefore the most scary) threat model that one could consider for a networking protocol. An off-path attacker cannot eavesdrop on the NTP traffic of their targets, but can spoof IP packets, i.e., send packets with a bogus source IP. This threat model captures ‘remote attacks’ launched by arbitrary IPs that do not occupy a privileged position on the communication path between the parties. (See Figure 5·2.)

NTP attempts to prevent off-path attacks much in the same way that TCP and UDP do: every client query includes a nonce, and this nonce is reflected back to the client in the server’s response. The client then checks for matching nonces in the query and response, i.e., “TEST2”. Because an off-path attacker cannot see the nonce (because it cannot eavesdrop on traffic), it cannot spoof a valid server response. Despite the apparent simplicity of this mechanism, its specification in RFC 5905 is flawed and leads to several off-path attacks.

Problem 2: Same code for different modes. NTP operates in several different modes. Apart from the popular client/server mode (where the client synchronizes to a time server), NTP also has a symmetric mode (where neighboring peers take time from each other), and several other modes. RFC 5905 recommends that all of NTP’s different modes be processed by the same codepath. However, we find that the security requirements of client/server mode and symmetric mode conflict with each other, and result in some of our off-path attacks.

[Figure 5·1: Chapter overview. Labels in the figure: Problems with RFC 5905 (lack of respect for basic protections (TEST2); same code for different modes; leaky control queries) and Resulting Attacks (leaky origin timestamp; zero-origin timestamp; interleaved pivot; DoS on symmetric mode).]

Problem 3: Leaky control queries. NTP’s control-query interface is not specified in RFC 5905, but its specification does appear in the obsoleted RFC 1305 (Mills, 1992) from 1992 and a new IETF Internet draft (Mills and Haberman, 2016). We find that it can be exploited remotely to leak information about NTP’s internal timing state variables. While the DDoS amplification potential of NTP’s control query interface is well known (Czyz et al., 2014a; Krämer et al., 2015), here we show that it is also a risk to the correctness of time.

We exploit these three problems to find working off-path attacks on ntpd (Section 5.3-5.4, Appendix A), and use IPv4 Internet scans to identify millions of IPs that are vulnerable to our attacks (Section 5.5). The first three attacks maliciously shift time on a client using NTP’s client/server mode, and the fourth prevents time synchronization in symmetric mode.

Attack 1: Leaky Origin Timestamp Attack (Section 5.4). Our network scans find a staggering 3.8 million IPs that leak the nonce used in TEST2 in response to control queries made from arbitrary IPs (CVE-2015-8139). An off-path attacker can maliciously shift time on a client by continuously querying for this nonce, and using it to spoof packets that pass TEST2.

Attack 2: Zero-Origin Timestamp Attack. Our second off-path timeshifting attack (CVE-2015-8138) follows from RFC 5905, and is among the strongest timeshifting attacks on NTP that have been identified thus far. The attacker bypasses TEST2 by spoofing server response packets with their nonce set to zero. We use leaky NTP control queries as a side-channel to measure the prevalence of this attack. We find 1.3 million affected IPs. However, we expect that the true attack surface is even larger, since this attack itself does not require the control-query interface, works on clients operating in default mode, and has been part of ntpd for seven years (since ntpd v4.2.6, December 2009).
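The following is an added illustration, not code from this thesis or from ntpd: a simplified model of the TEST2 origin-timestamp check from Problem 1, contrasting the flawed behaviour described for the zero-origin attack (a response whose origin field is zero passes) with a hardened check that demands an exact match with the outstanding nonce and consumes it. The 48-byte NTPv4 header layout is real; the packet values and the `Client` class are constructed for the example.

```python
import secrets
import struct

# NTPv4 header: LI/VN/Mode, stratum, poll, precision, root delay, root
# dispersion, reference ID, then four 64-bit timestamps
# (reference, origin, receive, transmit) = 48 bytes in total.
NTP_HDR = "!BBBbIIIQQQQ"
ORIGIN_IDX, TRANSMIT_IDX = 8, 10


def build_packet(mode, origin, transmit):
    """Minimal NTPv4 packet (constructed sample); mode 3 = client, 4 = server."""
    li_vn_mode = (4 << 3) | mode  # LI=0, VN=4
    return struct.pack(NTP_HDR, li_vn_mode, 2, 6, -20, 0, 0, 0,
                       0, origin, 0, transmit)


def origin_of(pkt):
    return struct.unpack(NTP_HDR, pkt)[ORIGIN_IDX]


class Client:
    """Toy client keeping one outstanding nonce (its last transmit timestamp)."""

    def __init__(self):
        self.xmt = 0  # 0 means no query in flight

    def send_query(self):
        # A real client uses its transmit time; a random non-zero value stands in here.
        self.xmt = secrets.randbits(64) | 1
        return build_packet(3, 0, self.xmt)

    def test2_flawed(self, pkt):
        # Behaviour the text describes: a zero origin timestamp is not rejected,
        # so an off-path attacker need not know the nonce at all.
        org = origin_of(pkt)
        return org == 0 or org == self.xmt

    def test2_hardened(self, pkt):
        # Require a non-zero, exactly matching nonce, then consume it so a
        # replayed copy of the same response is also rejected.
        org = origin_of(pkt)
        if self.xmt == 0 or org == 0 or org != self.xmt:
            return False
        self.xmt = 0
        return True


def demo():
    client = Client()
    nonce = struct.unpack(NTP_HDR, client.send_query())[TRANSMIT_IDX]
    legit = build_packet(4, nonce, 0x1234)  # server reflects the nonce
    spoofed = build_packet(4, 0, 0x1234)    # constructed zero-origin response
    return {"flawed_accepts_legit": client.test2_flawed(legit),
            "flawed_accepts_zero": client.test2_flawed(spoofed),
            "hardened_rejects_zero": not client.test2_hardened(spoofed),
            "hardened_accepts_legit": client.test2_hardened(legit),
            "hardened_rejects_replay": not client.test2_hardened(legit)}
```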

Attack 3: Interleaved-Pivot Attack (Section 5.4). Our third off-path timeshifting attack (CVE-2016-1548) exploits the fact that NTP’s client/server mode shares the same codepath as NTP’s interleaved mode. First, the attacker spoofs a single packet that tricks the target into thinking that it is in interleaved mode. The target then rejects all subsequent legitimate client/server mode packets. This is a DoS attack (Section 5.4, Appendix A.2).

We further leverage NTP’s leaky control queries to convert this DoS attack to an off-path timeshifting attack. NTP’s control-query interface also leaks the nonce used in the special version of TEST2 used in interleaved mode. The attacker spoofs a sequence of interleaved-mode packets, with nonce value revealed by these queries, that maliciously shifts time on the client. Our scans find 1.3 million affected IPs.

Attack 4: Attacks on symmetric mode (Appendix B). We then present security analysis of NTP’s symmetric mode, as specified in RFC 5905, and present off-path attacks that prevent time synchronization. We discuss why the security requirements of symmetric mode are at odds with those of client/server mode, and may have been the root cause of the zero-origin timestamp attack.

Disclosure. Our disclosure timeline is in Appendix E. Our research was done against ntpd v4.2.8p6, the latest version as of April 25, 2016. Since then, three versions have been released: ntpd v4.2.8p7 (April 26, 2016), ntpd v4.2.8p8 (June 2, 2016), ntpd v4.2.8p9 (November 21, 2016). Most of our attacks have been patched in these releases. We provide recommendations for securing the client/server mode in Section 5.7 and symmetric mode in Appendix B.4.